2016 is history. As I have done in last year, I will use the start of a new year to look back at my private blog to see if my experiment is still on track. 2016 was the first year my blog was up and running for a full year. Read more…
Certificate pinning aims to close a trust problem that comes with PKI architecture: you trust the certificate authority (CA) and assume that the server is valid, because you trust the CA. Certificate pinning aims to ensure that you also can also trust the server. How is pinning going to achieve Read more…
Online Certificate Status Protocol, or short: OCSP, let you obtain the revocation status of a certificate. It has some benefits over certification revocation lists, mainly that you can let the OCSP server do the heavy work of validating a certificate and the client gets some additional security when accepting the Read more…
I recently got a new company laptop. While this is generally great news, it means to go through a lot of configurations to adopt the standard image to my needs. One thing I noticed was that after installing a local http server, that Chrome won’t connect to http://localhost:8080, but instead Read more…
Preparations Install some additional packages via yum to ensure that the installation and execution of the database will work. The list may differ, depending on the actual version of CentOS you are using, but the internet gave me back the following packages and you should be on the safe side. Read more…
To test if OCSP is working, you need to have a certificate with OCSP information included. This is only available for certificates emitted AFTER the service was installed, configured and activated on the CA. Therefore, you`ll need to first create a new certificate for your tests. Depending on your CA Read more…
After having OCSP installed, configured and having CA include OCSP information in newly emitted certificates, the basic configuration is done and you are ready to use OCSP in your environment. To make better use of OCSP, some additional configuration steps should be done, like enabling NONCE. Microsoft test client isn`t Read more…
After having the OCSP service installed and configured, the CA must be made aware of the service. Only after this, new emitted certificates by the CA will include the OCSP information. This means that you can run a OCSP service without having it included in the client certificates. In that Read more…
For the CA to be able to use OCSP, read permission to the private key must be given. Add Read permissions to Network Service on the private key Open the Certificate Templates snap-in. Select the OCSP Response Signing template. Right-click it and click on properties. Go to tab security. Click Read more…
After installing OCSP component in Windows, it is time to configure the service: how OCSP requests are going to be handled; from where to receive the CRL, specify OCSP certificate, etc. Open the Online Responder snap-in. Click on Revocation Configuration. The list of available configuration is empty. Add a new Read more…